# sysdig -l
----------------------
Field Class: fd
fd.num the unique number identifying the file descriptor.
fd.type type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' or 'signalfd'.
fd.typechar type of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'o' for unknown.
fd.name FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contains the connection tuple.
----------------------
Field Class: process
proc.pid the id of the process generating the event.
proc.exe the first command line argument (usually the executable name or a custom one).
proc.name the name (excluding the path) of the executable generating the event.
proc.args the arguments passed on the command line when starting the process generating the event.
proc.env the environment variables of the process generating the event.
proc.cmdline full process command line, i.e. proc.name + proc.args.
proc.exeline full process command line, with exe as first argument, i.e. proc.exe + proc.args.
proc.cwd the current working directory of the event.
proc.nthreads the number of threads that the process generating the event currently has, including the main process thread.
proc.nchilds the number of child threads that the process generating the event currently has. This excludes the main process thread.
----------------------
Field Class: evt
evt.num event number.
evt.time event timestamp as a time string that includes the nanosecond part.
evt.time.s event timestamp as a time string with no nanoseconds.
evt.datetime event timestamp as a time string that includes the date.
evt.rawtime absolute event timestamp, i.e. nanoseconds from epoch.
evt.rawtime.s integer part of the event timestamp (e.g. seconds since epoch).
evt.rawtime.ns fractional part of the absolute event timestamp.
evt.reltime number of nanoseconds from the beginning of the capture.
evt.reltime.s number of seconds from the beginning of the capture.
evt.reltime.ns fractional part (in ns) of the time from the beginning of the capture.
evt.latency delta between an exit event and the correspondent enter event, in nanoseconds.
----------------------
Field Class: user
user.uid user ID.
user.name user name.
user.homedir home directory of the user.
user.shell user's shell.
----------------------
Field Class: group
group.gid group ID.
group.name group name.
----------------------
Field Class: syslog
syslog.facility.str
facility as a string.
syslog.facility facility as a number (0-23).
syslog.severity.str
severity as a string. Can have one of these values: emerg, alert, crit, err, warn, notice, info, debug
syslog.severity severity as a number (0-7).
syslog.message message sent to syslog.
----------------------
Field Class: container
container.id the container id.
container.name the container name.
container.image the container image.
container.type the container type, eg: docker or rkt
----------------------
Field Class: fdlist
fdlist.nums for poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, returned as a string.
fdlist.names for poll events, this is a comma-separated list of the FD names in the 'fds' argument, returned as a string.
fdlist.cips for poll events, this is a comma-separated list of the client IP addresses in the 'fds' argument, returned as a string.
fdlist.sips for poll events, this is a comma-separated list of the server IP addresses in the 'fds' argument, returned as a string.
fdlist.cports for TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the 'fds' argument, returned as a string.
fdlist.sports for poll events, this is a comma-separated list of the server TCP/UDP ports in the 'fds' argument, returned as a string.
----------------------
Field Class: k8s
k8s.pod.name Kubernetes pod name.
k8s.pod.id Kubernetes pod id.
k8s.pod.label Kubernetes pod label. E.g. 'k8s.pod.label.foo'.
k8s.pod.labels Kubernetes pod comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.rc.name Kubernetes replication controller name.
k8s.rc.id Kubernetes replication controller id.
k8s.rc.label Kubernetes replication controller label. E.g. 'k8s.rc.label.foo'.
k8s.rc.labels Kubernetes replication controller comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.svc.name Kubernetes service name (can return more than one value, concatenated).
k8s.svc.id Kubernetes service id (can return more than one value, concatenated).
----------------------
Field Class: mesos
mesos.task.name Mesos task name.
mesos.task.id Mesos task id.
mesos.task.label
Mesos task label. E.g. 'mesos.task.label.foo'.
mesos.task.labels
Mesos task comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
mesos.framework.name
Mesos framework name.
mesos.framework.id
Mesos framework id.
marathon.app.name
Marathon app name.
marathon.app.id Marathon app id.
marathon.app.label
Marathon app label. E.g. 'marathon.app.label.foo'.
----------------------
Field Class: span
span.id tracer ID. This is a unique identifier that is used to match the enter and exit tracer events for this span. It can also be used to match different spans belonging to a trace.
span.time time of the span enter tracer as a time string that includes the nanosecond part.
span.ntags number of tags that this span has.
span.nargs number of arguments that this span has.
span.tags dot-separated list of the span's tags.
span.tag one of the span's tags, specified by 0-based offset, e.g. 'span.tag[1]'. You can use a negative offset to pick elements from the end of the tag list. For example, 'span.tag[-1]' returns the last tag.
----------------------
Field Class: evt
evtin.span.id (FILTER ONLY) the ID of the trace span containing the event.
evtin.span.ntags
(FILTER ONLY) the number of tags of the trace span containing the event.
evtin.span.nargs
(FILTER ONLY) the number of arguments of the trace span containing the event.
evtin.span.tags (FILTER ONLY) the comma-separated list of tags of the trace span containing the event.
evtin.span.tag (FILTER ONLY) one of the tags of the trace span containing the event, specified by offset. E.g. 'evtin.span.tag[1]'. You can use a negative offset to pick elements from the end of the tag list. For example, 'evtin.span.tag[-1]' returns the last tag.

Sysdig’s chisels are little scripts that analyze the sysdig event stream to perform useful actions. If you’ve used system tracing tools like dtrace, you’re probably familiar with running scripts that trace OS events. Usually, with dtrace-like tools you write your scripts using a domain-specific language that gets compiled into bytecode and injected in the kernel. Sysdig uses a different approach: events are efficiently brought to user-level, enriched with context, and then scripts can be applied to them. This brings several benefits:

A well known scripting language can be used instead of a custom one. In fact, sysdig’s chisels are Lua scripts. Lua is well known, powerful, stable and extremely efficient.

Chisels can leverage the broad collection of Lua libraries.

Chisels work well on live systems, but can also be used with capture files for offline analysis.
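To make the chisel model concrete, here is an added example chisel (my own code, not one of the chisels sysdig ships) that uses the `user.name`, `proc.name` and `fd.name` fields from the `sysdig -l` listing above to summarize which users and processes write to files under a watched directory, a quick way to spot unexpected configuration tampering under /etc. The argument name `watch_dir`, the field selection and the output format are choices made here, not sysdig conventions.

```lua
-- Added example chisel; not one of the chisels sysdig ships.
description = "Summarize write I/O to files under a watched directory, per user, process and file."
short_description = "Writes under a watched directory"
category = "I/O"

-- Optional argument (name chosen here): directory prefix to watch, default /etc.
args = {
    {name = "watch_dir", description = "directory prefix to watch (default /etc)",
     argtype = "string", optional = true}
}

local watch_dir = "/etc"
local counts = {}  -- "user\tproc\tfd.name" -> bytes written
local fuser, fproc, fname, fres

function on_set_arg(name, val)
    if name == "watch_dir" then watch_dir = val; return true end
    return false
end

function on_init()
    -- Fields from the `sysdig -l` listing above, plus evt.rawarg.res (the syscall result).
    fuser = chisel.request_field("user.name")
    fproc = chisel.request_field("proc.name")
    fname = chisel.request_field("fd.name")
    fres  = chisel.request_field("evt.rawarg.res")
    -- Exit side of write-type syscalls on regular files only.
    chisel.set_filter("evt.is_io_write=true and evt.dir=< and fd.type=file")
    return true
end

function on_event()
    local path = evt.field(fname)
    if path == nil or path:sub(1, #watch_dir) ~= watch_dir then return true end
    local res = evt.field(fres)
    if res == nil or res < 0 then return true end  -- failed write: nothing reached the file
    local key = tostring(evt.field(fuser)) .. "\t" .. tostring(evt.field(fproc)) .. "\t" .. path
    counts[key] = (counts[key] or 0) + res
    return true
end

-- Print the summary when the capture ends (Ctrl-C on a live system, or EOF of a -r file).
function on_capture_end()
    local rows = {}
    for k, v in pairs(counts) do rows[#rows + 1] = {k, v} end
    table.sort(rows, function(a, b) return a[2] > b[2] end)
    print("bytes\tuser\tproc\tfile")
    for _, r in ipairs(rows) do print(r[2] .. "\t" .. r[1]) end
    return true
end
```

Saved as watched_writes.lua in ~/.chisels, it runs live as `sysdig -c watched_writes` or against a capture file with `sysdig -r file.scap -c watched_writes /var/www` (the trailing argument overrides the default prefix).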

# sysdig -cl
Category: Application
---------------------
httplog HTTP requests log
httptop Top HTTP requests
memcachelog memcached requests log
Category: CPU Usage
-------------------
spectrogram Visualize OS latency in real time.
subsecoffset Visualize subsecond offset execution time.
topcontainers_cpu
Top containers by CPU usage
topprocs_cpu Top processes by CPU usage
Category: Errors
----------------
topcontainers_error
Top containers by number of errors
topfiles_errors Top files by number of errors
topprocs_errors top processes by number of errors
Category: I/O
-------------
echo_fds Print the data read and written by processes.
.....
# root at shanker in ~ [1:52:57]
# sysdig -i echo_fds
Category: I/O
-------------
echo_fds Print the data read and written by processes.
Print the data read and written for any FD. Combine this script with a filter to restrict what it shows. This chisel is compatible with containers using the sysdig -pc or -pcontainer argument, otherwise no container information will be shown. (Blue represents [Write], and Red represents [Read] for all data except when the -pc or -pcontainer argument is used. If used the container.name and container.id will be represented as: Green [host], and Cyan [container]) Container information will contain '[]' around container.name and container.id.
Args:
[string] disable_color - Set to 'disable_colors' if you want to disable color output